G0087: APT39
APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]
Analyst context for executives and security teams
APT39 matters because MITRE describes it as long-running espionage activity tied to MOIS through Rana Intelligence Computing, with targeting of travel, hospitality, academic, and telecommunications organizations across multiple regions. For leaders, the practical issue is not just malware names; it is whether the organization can detect credential theft, lateral movement, remote access, web shells, internal discovery, and data collection before sensitive personal or operational information leaves the environment.
Executive priority
Prioritize this as an identity, data-protection, and incident-readiness use case, especially if the organization operates in or supports travel, hospitality, academia, telecommunications, or high-risk regions named by MITRE. Executives should ask whether SOC coverage can prove visibility into credential dumping, remote administration abuse, internal reconnaissance, and exfiltration paths, and whether IR teams can rapidly scope compromised accounts and systems. This object also supports audit and compliance discussions around privileged access control, logging completeness, and evidence of monitoring for data access and outbound transfer.
Technical view
ATT&CK provides no official detection text and no group-level platforms or tactics, so validation should be relationship-driven. The related software and techniques point to a Windows-heavy credential and lateral-movement pattern, including Mimikatz, Windows Credential Editor, pwdump, CrackMapExec, PsExec, RDP, SMB/admin shares, LSASS memory access, registry queries, user and remote system discovery, web shell activity via ASPXSpy, FTP transfer, RAT/backdoor tools such as Remexi, Cadelspy, and MechaFlounder, and exfiltration over a C2 channel. SOC and IR teams should test whether endpoint, identity, network, and server logs can connect these behaviors into one intrusion narrative rather than isolated alerts.
Likely telemetry
- Windows endpoint telemetry for process creation, suspicious credential access, LSASS memory access, registry queries, service creation, and execution from unusual paths
- Authentication and identity logs for unusual privileged logons, RDP sessions, SMB/admin share access, and SSH where applicable
- Network telemetry for internal host discovery, SMB/RDP/SSH activity, FTP use, outbound C2-like communications, and anomalous data transfer
- Web server logs and file integrity evidence for possible ASPX web shell placement or execution
- File and malware telemetry for packed, encrypted, encoded, or masqueraded executables and scripts
Detection direction
- Validate detections for credential dumping and LSASS access, including use of known tools such as Mimikatz, Windows Credential Editor, and pwdump, while accounting for authorized security testing noise.
- Correlate discovery commands and behaviors, such as remote system discovery, user discovery, registry queries, and NBTscan-like activity, with subsequent authentication or lateral movement.
- Baseline legitimate RDP, SMB/admin share, SSH, PsExec, and FTP usage; these are dual-use paths and require context such as source host, account privilege, time, destination, and change-ticket evidence.
- Review web-facing Windows servers for web shell indicators and suspicious ASPX activity, especially where ASPXSpy-like behavior would be possible.
- Tune for obfuscation blind spots: packed, encrypted, encoded, or legitimately named files may reduce signature-only detection value.
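To show how the correlation asked for in the list above might look in practice, here is an added example (written for this page, not code from the page, MITRE, or any product) that stages constructed Windows endpoint and logon events by source host and reports only hosts where discovery or LSASS access precedes an RDP or SMB logon inside a time window; the event schema, host names, user names and command fragments are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CRED_TOOLS = {"mimikatz.exe", "wce.exe", "pwdump.exe"}   # credential dumpers named on this page
DISCOVERY_FRAGMENTS = ("net view", "net user", "reg query", "nbtscan", "crackmapexec")
LATERAL_LOGON_TYPES = {3, 10}  # 3 = network (SMB/admin shares), 10 = RemoteInteractive (RDP)

def classify(ev):
    """Map one normalised event (constructed schema, see SAMPLE_EVENTS) to a stage name."""
    if ev["kind"] == "process":
        if ev["image"].lower().rsplit("\\", 1)[-1] in CRED_TOOLS:
            return "credential_access"
        if any(frag in ev["cmdline"].lower() for frag in DISCOVERY_FRAGMENTS):
            return "discovery"
    elif ev["kind"] == "lsass_access":  # e.g. a Sysmon ProcessAccess event targeting lsass.exe
        return "credential_access"
    elif ev["kind"] == "logon" and ev["logon_type"] in LATERAL_LOGON_TYPES:
        return "lateral_movement"
    return None

def correlate(events, window_hours=2):
    """{src_host: finding} for hosts where discovery/credential access precedes lateral movement in the window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["src_host"]].append((ev["ts"], stage, ev))
    findings = {}
    for host, staged in by_host.items():
        for ts, stage, ev in staged:
            if stage != "lateral_movement":
                continue
            pre = [(t, s, e) for t, s, e in staged
                   if s != "lateral_movement" and ts - timedelta(hours=window_hours) <= t < ts]
            if not pre:
                continue  # dual-use logon with no precursor: leave to baselining, not alerting
            narrative = [f"{t:%H:%M} {s}: {e.get('cmdline', e['image'])}" for t, s, e in pre]
            narrative.append(f"{ts:%H:%M} lateral_movement: {ev['user']} -> {ev['dst_host']} "
                             f"(logon type {ev['logon_type']})")
            findings[host] = {"stages": sorted({s for _, s, _ in pre} | {"lateral_movement"}),
                              "narrative": narrative}
            break  # one narrative per source host is enough for triage
    return findings

T = lambda h, m: datetime(2024, 1, 15, h, m)  # constructed timestamps
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"ts": T(9, 2), "kind": "process", "src_host": "WS01", "user": "jdoe",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg query HKLM\SYSTEM\CurrentControlSet\Services"},
    {"ts": T(9, 5), "kind": "process", "src_host": "WS01", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net view /domain"},
    {"ts": T(9, 20), "kind": "lsass_access", "src_host": "WS01", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"},
    {"ts": T(9, 48), "kind": "logon", "src_host": "WS01", "dst_host": "SRV01", "user": "svc_backup", "logon_type": 10},
    # WS02: a routine file-share logon with no precursor is not reported on its own
    {"ts": T(10, 0), "kind": "logon", "src_host": "WS02", "dst_host": "FS01", "user": "asmith", "logon_type": 3},
    # ADMIN01: discovery followed by RDP, but hours apart, so outside the default window
    {"ts": T(8, 0), "kind": "process", "src_host": "ADMIN01", "user": "admin",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user /domain"},
    {"ts": T(13, 30), "kind": "logon", "src_host": "ADMIN01", "dst_host": "DC01", "user": "admin", "logon_type": 10},
]
```

Widening the window (for example to six hours) pulls ADMIN01 into the findings as well, which is the knob to tune against your own baseline of legitimate admin activity.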
Mitigation priorities
- Start with privileged access hygiene: reduce standing admin rights, separate admin accounts, enforce strong authentication for remote access, and monitor privileged credential use.
- Restrict and monitor lateral movement paths such as RDP, SMB/admin shares, SSH, and remote execution tools; allow only documented administrative workflows.
- Harden systems that can host web shells, especially externally reachable web servers, and maintain change control over web directories and server-side scripts.
- Improve endpoint hardening and logging around credential material, process access, suspicious tooling, and execution from trusted-looking paths.
- Apply network egress controls and monitoring for FTP, unusual outbound sessions, and potential C2-channel data transfer.
Analyst notes and limits
The strongest decision value comes from combining the group description with the listed relationships. APT39 is described by MITRE as espionage activity focused on tracking individuals and entities, and the related techniques/software emphasize credential access, discovery, lateral movement, remote access, web shells, obfuscation, collection, and exfiltration. Treat this as a coverage assessment for identity-centric intrusion response rather than a single malware detection problem.
MITRE provides no official detection guidance and no group-level platforms or tactics for this object. Related software and techniques identify behaviors to validate, but they do not prove those tools or techniques are present in any specific environment. Local asset exposure, sector relevance, authentication patterns, and logging completeness are required to assess risk and coverage.
APT39
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1046 | Network Service Discovery | APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | APT39 has maintained persistence using the startup folder. (Citation: FireEye APT39 Jan 2019) |
| Enterprise | T1090.002 | External Proxy Sub-technique | APT39 has used various tools to proxy C2 communications. (Citation: BitDefender Chafer May 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | APT39 has used malware to decrypt encrypted CAB files. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1056.001 | Keylogging Sub-technique | APT39 has used tools for capturing keystrokes. (Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1005 | Data from Local System | APT39 has used various tools to steal files from the compromised host. (Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | APT39 has used PowerShell to execute malicious code. (Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018) |
| Enterprise | T1115 | Clipboard Data | APT39 has used tools capable of stealing contents of the clipboard. (Citation: Symantec Chafer February 2018) |
| Enterprise | T1003 | OS Credential Dumping | APT39 has used different versions of Mimikatz to obtain credentials. (Citation: BitDefender Chafer May 2020) |
| Enterprise | T1553.006 | Code Signing Policy Modification Sub-technique | APT39 has used malware to turn off the |
| Enterprise | T1546.010 | AppInit DLLs Sub-technique | APT39 has used malware to set |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | APT39 has modified LNK shortcuts. (Citation: FireEye APT39 Jan 2019) |
| Enterprise | T1135 | Network Share Discovery | APT39 has used the post exploitation tool CrackMapExec to enumerate network shares. (Citation: BitDefender Chafer May 2020) |
| Enterprise | T1569.002 | Service Execution Sub-technique | APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes. (Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | APT39 has used malware to drop encrypted CAB files. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020) |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1027.002 | Software Packing Sub-technique | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | APT39 has exfiltrated stolen victim data through C2 communications. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1204.002 | Malicious File Sub-technique | APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | APT39 has created scheduled tasks for persistence. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1070.004 | File Deletion Sub-technique | APT39 has used malware to delete files after they are deployed on a compromised host. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | APT39 has communicated with C2 through files uploaded to and downloaded from DropBox. (Citation: BitDefender Chafer May 2020) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | APT39 has used WinRAR and 7-Zip to compress and archive stolen data. (Citation: FireEye APT39 Jan 2019) |
| Enterprise | T1505.003 | Web Shell Sub-technique | APT39 has installed ANTAK and ASPXSPY web shells. (Citation: FireEye APT39 Jan 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | APT39 has downloaded tools to compromised hosts. (Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1059.010 | AutoHotKey & AutoIT Sub-technique | APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link. (Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1555 | Credentials from Password Stores | APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords. (Citation: BitDefender Chafer May 2020) |
| Enterprise | T1113 | Screen Capture | APT39 has used a screen capture utility to take screenshots on a compromised host. (Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials. (Citation: FireEye APT39 Jan 2019) |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1071.004 | DNS Sub-technique | APT39 has used remote access tools that leverage DNS in communications with C2. (Citation: BitDefender Chafer May 2020) |
| Enterprise | T1059 | Command and Scripting Interpreter | APT39 has utilized custom scripts to perform internal reconnaissance. (Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | APT39 has utilized tools to aggregate data prior to exfiltration. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1083 | File and Directory Discovery | APT39 has used tools with the ability to search for files on a compromised host. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1012 | Query Registry | APT39 has used various strains of malware to query the Registry. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1110 | Brute Force | APT39 has used Ncrack to reveal credentials. (Citation: FireEye APT39 Jan 2019) |
| Enterprise | T1197 | BITS Jobs | APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1136.001 | Local Account Sub-technique | APT39 has created accounts on multiple compromised hosts to perform actions within the network. (Citation: BitDefender Chafer May 2020) |
| Enterprise | T1059.006 | Python Sub-technique | APT39 has used a command line utility and a network scanner written in Python. (Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe. (Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | APT39 has used HTTP in communications with C2. (Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | APT39 used custom tools to create SOCKS5 and custom protocol proxies between infected hosts. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020) |
| Enterprise | T1078 | Valid Accounts | APT39 has used stolen credentials to compromise Outlook Web Access (OWA). (Citation: FireEye APT39 Jan 2019) |
| Enterprise | T1056 | Input Capture | APT39 has utilized tools to capture mouse movements. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | APT39 leveraged spearphishing emails with malicious links to initially compromise victims. (Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | APT39 has used SMB for lateral movement. (Citation: Symantec Chafer February 2018) |
| Enterprise | T1190 | Exploit Public-Facing Application | APT39 has used SQL injection for initial compromise. (Citation: Symantec Chafer February 2018) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | APT39 has utilized malicious VBS scripts in malware. (Citation: FBI FLASH APT39 September 2020) |
| Enterprise | T1021.004 | SSH Sub-technique | APT39 used secure shell (SSH) to move laterally among their targets. (Citation: FireEye APT39 Jan 2019) |
Groups, software, and campaigns
S0590: NBTscan
S0459: MechaFlounder
MechaFlounder is a python-based remote access tool (RAT) that has been used by APT39. The payload uses a combination of actor developed code and code snippets freely available online in development communities.[1]
S0375: Remexi
S0488: CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]
S0006: pwdump
S0002: Mimikatz
S0005: Windows Credential Editor
Windows Credential Editor is a password dumping tool.[1]
S0454: Cadelspy
S0029: PsExec
S0073: ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.[1]
S0095: ftp
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.2 | | Current bundle | cdee270d3cad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT39 Jan 2019: Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- [2] Symantec Chafer Dec 2015: Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
- [3] FBI FLASH APT39 September 2020: FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- [4] Dept. of Treasury Iran Sanctions September 2020: Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020.
- [5] DOJ Iran Indictments September 2020: DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020.
- [6] APT39 (alias entry): (Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
- [7] Chafer (alias entry): Activities associated with APT39 largely align with a group publicly referred to as Chafer. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: Dark Reading APT39 JAN 2019)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
- [8] Crowdstrike GTR2020 Mar 2020: Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- [9] Dark Reading APT39 JAN 2019: Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020.
- [10] ITG07 (alias entry): (Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
- [11] Remix Kitten (alias entry): (Citation: Crowdstrike GTR2020 Mar 2020)
- [12] mitre-attack G0087
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.